Messages - vijvis

#1
Intrusion Detection and Prevention / ET Ruleset URL
January 31, 2022, 12:49:48 PM
As I was looking at why the IPS ruleset hadn't updated since the 29th Jan, I found the below link on the Proofpoint website. This is useful as it shows when the rules were updated. Includes both open and Pro rulesets.

Of course you can also look at the logs on the IPS/IDS engine.

Some of you might know this link already. Just thought I'd put it out there.

https://www.proofpoint.com/au/daily-ruleset-update-summary

#2
Most home networks are behind a NAT. So enabling Suricata just on the WAN interface will only show traffic after the NAT which won't tell you which system inside your network was the source.

Hence the OPNsense documentation states to enable IDS/IPS on the LAN interface. The firewall already has a default deny for inbound anyway.

With publicly exposed things like web servers a WAF is a better choice. But probably too much for the home user to manage.
#3
I got that error too upon enabling IPS and updating the rules. A reboot of the system fixed it for me.
#4
Works fine for me on 22.1. Currently running in IPS mode on my LAN interface.
#5
Running 22.1 on a Protectli Mini PC. I got the error as well upon enabling IPS. Didn't get the error when running in IDS mode. Rebooting the device seems to have fixed it for me and IPS is running normally.
#6
I enabled the IPS on my LAN interface and I am seeing a few of these alerts. The source IP shown in the alert belongs to my Samsung Galaxy S10 phone, the destination IP is the NextDNS IP address and the port is 53.

My phone is not rooted and runs Android 11. It is fully patched to December 2021. No dodgy apps as I use it for work purposes as well.

The alert detail only has a link to Spamhaus which doesn't tell me much.

The traffic is getting dropped but I don't see any issues on the phone. I am able to use everything as normal and backups to Google Drive work as normal.

Any ideas, please? I have had a look at the DNS logs from my phone in NextDNS portal and nothing stands out as suspicious.
#7
21.7 Legacy Series / Re: 21.7.3. - high CPU and MEM usage
September 25, 2021, 02:19:10 AM
No high memory or CPU issues on my Protectli vault.
#8
Working fine for me on Xbox. I have an alias set up for Xbox Live. And the Xbox reports full open NAT. I don't see any issues in the firewall logs.
#9
No problems detected on my Protectli vault after upgrade to 21.7.3. CPU usage is normal.
#10
Under interfaces - overview are you seeing IPv6 details in the WAN & LAN interfaces? Also, under services - DHCPv6 - leases are you seeing IPv6 leases?

With my ISP, just enabling IPv6 wasn't sufficient. I had to "kick" the connection. This is not rebooting the modem. This is a full reset & re-authenticate. The ISP provides us with an app to do that and hence I don't need to call them. I have a static IPv4 WAN address & the IPv6 address is very sticky, and hence both didn't change with the reset.

Each ISP is different. Yours might not need the above.
#11
21.7 Legacy Series / Re: Everything Seen to Work
July 30, 2021, 02:10:33 PM
I upgraded from 21.1.9 to 21.7 yesterday. System is running on a Protectli mini PC. Upgrade via VGA and CLI went smoothly. All config was preserved. NextDNS works. System running fine.
#12
Quote from: panks21 on July 23, 2021, 06:12:47 PM
What IPv6 rules should I add on the WAN??

I had to add these firewall rules on the WAN and LAN interfaces for IPv6 to work. Otherwise, I was losing IPv6 after a few minutes. Has been solid since. I just upgraded to 21.7 and IPv6 still works.

Action: Pass
Direction: In
Interface: WAN
TCP/IP Version: IPv6
Protocol: UDP

Source: ANY
Port Range: from 547 to 547

Destination: ANY
Port Range: from 546 to 546

-------------------------

Action: Pass
Direction: In
Interface: LAN
TCP/IP Version: IPv4 + IPv6
Protocol: ANY

Source: LAN net
Destination: LAN Address

I have also created a Prefix Alias of type "network" for the /56 given to me by my ISP. And added a rule on the WAN to allow ICMPv6 inbound to this prefix alias. This is optional.
#13
I had the same issue. Setting IPv6 DNS under Settings -> General -> DNS servers and selecting the WAN_DHCPv6 gateway next to DNS worked for me. Also, enabling Sensei broke IPv6 in my case. So I haven't enabled Sensei or Suricata.

Do you have IPv6 specific rules in your firewall WAN interface?
#14
I am running the latest version of OPNsense 21.1.8_1. My ISP (Aussie Broadband, Australia) provides me with a native IPv6 connection (/128 address and prefix of /56).

Without Sensei, everything works fine. I can get to IPv6 websites and IPv6 tests (ipv6-test.com and test-ipv6.com) pass with 20/20 and 10/10. If I enable Sensei, I can't get to any IPv6 websites and the test scores drop to 4/20 and 0/10.

I have rebooted OPNsense and the issue still remains. I have also refreshed the browser cache just in case.

I have had the same issue with version 21.1.7, so it's not a version issue.

Any ideas? Thanks.
#15
Tutorials and FAQs / Re: Google Drive Backup
July 05, 2021, 01:35:37 PM
Worked perfectly. Thanks very much for the detailed steps with screenshots.